You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Ideally, when I design an endpoint, I should be able to say how each method is authorized. In OAuth, we use scopes to determine the extent of access granted for an access_token ("AT"). The AT may be a value token: a JWT requiring signature validation (and auto-fetching of the current keys). The AT may also be a reference token: a guess-resistent identifier requiring OAuth token introspection. In either case, the AT should contain the scope claim, which is a space-delimited list of scopes (normally in URI format).
In the example below, the swagger doc is saying that to do a GET on the persistence endpoint, you need to present a token with either the properties.read OR properties.write scope
/jans-config-api/api/v1/jans-auth-server/config/persistence:
get:
summary: Returns persistence type configured for Jans authorization server.
description: Returns persistence type configured for Jans authorization server.
operationId: get-properties-persistence
security:
- oauth2: [properties.read, properties.write]
For extra credit, you can consider how the scopes are combined. Can you use AND instead of OR for a given endpoint? For more complex booleans, you could support JSONLogic syntax.
The text was updated successfully, but these errors were encountered:
Unfortunately, right now we don't support in-depth security requirements analysis (token validation, scope checks and etc.). API-Firewal just checks that you have an "Authorization" header without validation of its content. But we have some ideas regarding integration with OAuth services in the API-Firewall roadmap.
Could you please provide any details regarding OAuth provider you are using? It will help us to adjust our tasks.
Ideally, when I design an endpoint, I should be able to say how each method is authorized. In OAuth, we use scopes to determine the extent of access granted for an access_token ("AT"). The AT may be a value token: a JWT requiring signature validation (and auto-fetching of the current keys). The AT may also be a reference token: a guess-resistent identifier requiring OAuth token introspection. In either case, the AT should contain the
scope
claim, which is a space-delimited list of scopes (normally in URI format).In the example below, the swagger doc is saying that to do a GET on the persistence endpoint, you need to present a token with either the properties.read OR properties.write scope
For extra credit, you can consider how the scopes are combined. Can you use AND instead of OR for a given endpoint? For more complex booleans, you could support JSONLogic syntax.
The text was updated successfully, but these errors were encountered: